Problem with W32.Sober.C@mm

Discussion in 'NOD32 version 2 Forum' started by Angelo Rossi, Jan 14, 2004.

Thread Status:
Not open for further replies.
  1. Angelo Rossi

    Angelo Rossi Guest

    Dear ESET support,
    we recently bought NOD32 for Linux Mailserver from FuturTime, Rome. Everything was fine, but now it does not recognize W32.Sober.C@mm. The virus comes, and NOD only says "[NOD32: Not scanned]". Below you will find details of an infected mail I tried to send to myself (without the .pif attachment). I think the virus definitions are updated. What can I do?

    ---------------------------------------------------------------------------------------

    Return-Path: <assistenza@infocom-consulting.it>
    Delivered-To: rouge@2
    Received: (qmail 6523 invoked from network); 14 Jan 2004 10:13:51 -0000
    Received: from unknown (HELO fep01-svc.flexmail.it) (212.131.248.100)
    by mail.infocom-consulting.it with SMTP; 14 Jan 2004 10:13:51 -0000
    Received: from Rouge ([81.74.75.3]) by fep01-svc.flexmail.it with SMTP
    id <20040114102109.BREH7059.fep01-svc.flexmail.it@Rouge>
    for <rouge@rouge.it>; Wed, 14 Jan 2004 11:21:09 +0100
    Message-ID: <001501c3da88$1dca23e0$0301a8c0@Rouge>
    From: "Assistenza Infocom" <assistenza@infocom-consulting.it>
    To: <rouge@rouge.it>
    Subject: [NOD32: not scanned] Virus
    Date: Wed, 14 Jan 2004 11:18:22 +0100
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
       boundary="----=_NextPart_000_0009_01C3DA90.212C4100"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0009_01C3DA90.212C4100
    Content-Type: multipart/alternative;
       boundary="----=_NextPart_001_000A_01C3DA90.213568C0"


    ------=_NextPart_001_000A_01C3DA90.213568C0
    Content-Type: text/plain;
       charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    Prova



    ________ Notification from NOD32 ________

    Warning: NOD32 Antivirus System for Linux Mail Server found the following infiltrations in this message:





    http://www.nod32.com
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
    I suggest you send that email to support@nod32.com along with a short explanation of the problem. NOD32 detects Sober.C fine here.

    However, the only problem I see in the message is that the virus name does not appear in the tag message, but the attachment seems to be already deleted.
     
  3. Angelo Rossi

    Angelo Rossi Guest

    The virus isn't simply attached to this message, but I saw it in my mail!!! And yes, I tried to download the NOD32 trial for DOS and it correctly deleted the virus.
    Now I'll write to tech support; if anyone has an idea, please reply!!!
    Thanks, and forgive me for my bad English.
     
  4. Rouge.it

    Rouge.it Registered Member

    Joined:
    Jan 14, 2004
    Posts:
    6
    Location:
    Salsomaggiore Terme, PR - Italy
    Re:problem with W32.Sober.C@mm

    Mark from ESET told me there's a problem in the IMON mod, which in some cases does not recognize W32.Sober.C@mm. He said ESET is working on a solution. Has anyone else had the same problem?
     
  5. GuestAgain

    GuestAgain Guest

    Just wondering if this affects ALL versions or only the Linux version that you have.........very bad.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    An official Eset reply/announcement seems the first way to go - no need for guessing and elaborate on that ;)

    regards.

    paul
     
  7. JustVisiting

    JustVisiting Guest

    Just wondering if this affects ALL versions or only the Linux version that you have.........very bad.



    An official Eset reply/announcement seems the first way to go - no need for guessing and elaborate on that
    ----------------------------------------

    I was NOT guessing and there will be no official announcement from Eset unless the question is asked...which I did.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    JustVisiting/GuestAgain,

    No offense, but you are posting here anonymously, using two different guest names in this thread alone. I for one do rely on an Eset rep answering this first and foremost.

    regards.

    paul
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    No need to worry about and exaggerate the threat. This problem used to occur very rarely and AMON would detect the worm anyway. Today's update 1.599 fixes the minor "bug".
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks Eset/Mark for this statement ;)

    regards.

    paul
     
  11. JustVisiting

    JustVisiting Guest

    But the question remains unanswered...........did it affect all versions or just the Linux version?
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Nope - the question has been answered: read Marcos reply carefully, in particular:

    regards.

    paul
     
  13. JustVisiting

    JustVisiting Guest

    Paul,

    Is it so hard for you to let the Eset guys answer this question? The question does remain unanswered. Did this "minor bug" occur in all versions of NOD or only in the Linux version? It's a very simple question that I would like an answer to.

    Saying that it would have been caught by AMON is not the answer to my question.......
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Not at all - merely wanted to express my point of view - in reality, no harm could be done.

    In case you feel like this, it's not up to me to comment as I understand it.

    In reality: I do believe it is - but that's merely my opinion ;)

    regards.

    paul
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The problem was that Sober.C altered MIME files to prevent AV programs from detecting it. However, as I already said, it used to happen very rarely that a mail checker did not pick up the worm. And yes, the problem was related to all flavors of NOD32. At any rate, AMON would detect it without any problems.
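
Added example, not part of the original thread and not ESET's code: a fail-closed delivery check for mail the gateway scanner tagged "[NOD32: not scanned]", as in the first post, so that an unscanned message with an executable attachment or unparseable MIME is not handed to the mailbox. The thread does not say how Sober.C altered the MIME structure, so the malformed sample is a generic constructed case; the extension list, verdict names and all sample messages are assumptions.

```python
import email
from email import policy

RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat")  # assumed local policy list
UNSCANNED_TAG = "[nod32: not scanned]"  # subject tag quoted in the thread, lowercased


def triage(raw: bytes) -> dict:
    """Decide delivery for a message after the gateway scanner has tagged it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    unscanned = UNSCANNED_TAG in str(msg.get("Subject", "")).lower()
    risky, defects = [], []
    for part in msg.walk():
        # Structural problems the stdlib parser recorded (e.g. missing boundary).
        defects += [type(d).__name__ for d in part.defects]
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            risky.append(name)
    suspicious = bool(risky or defects)
    if unscanned and suspicious:
        verdict = "quarantine"   # scanner gave up AND content looks dangerous
    elif unscanned or suspicious:
        verdict = "hold"         # needs a rescan or a human look before delivery
    else:
        verdict = "deliver"
    return {"verdict": verdict, "unscanned": unscanned,
            "risky": risky, "defects": defects}


def _msg(subject: str, ctype: str, body: str) -> bytes:
    """Build a constructed test message (not real traffic)."""
    return (f"Subject: {subject}\nMIME-Version: 1.0\n"
            f"Content-Type: {ctype}\n\n{body}").encode()


TAG = "[NOD32: not scanned] Virus"
# Constructed samples; the base64 payload decodes to the text "CONSTRUCTED".
TAGGED_PIF = _msg(TAG, 'multipart/mixed; boundary="b1"',
    "--b1\nContent-Type: text/plain\n\nProva\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="constructed.pif"\n'
    "Content-Transfer-Encoding: base64\n\nQ09OU1RSVUNURUQ=\n--b1--\n")
TAGGED_BROKEN = _msg(TAG, 'multipart/mixed; boundary="b2"',
                     "no boundary line ever appears\n")
TAGGED_TEXT = _msg(TAG, "text/plain", "Prova\n")
CLEAN = _msg("hello", "text/plain", "hi\n")

if __name__ == "__main__":
    for label in ("TAGGED_PIF", "TAGGED_BROKEN", "TAGGED_TEXT", "CLEAN"):
        print(label, triage(globals()[label]))
```
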
     
  16. Rouge.it

    Rouge.it Registered Member

    Joined:
    Jan 14, 2004
    Posts:
    6
    Location:
    Salsomaggiore Terme, PR - Italy
    The problem, for me, is fixed.
    I tried to send the same virus, and now it is detected correctly.
    Mark, thanks a lot.

    Just a question:

    This virus came on December 20th. Did the problem start here, or was a definition update the cause?

    Thanks for your answer.
     
  17. JustVisiting

    JustVisiting Guest

    And yes, the problem was related to all flavors of NOD32
    --------------------------------

    Thank you for the reply.
     
  18. Rouge.it

    Rouge.it Registered Member

    Joined:
    Jan 14, 2004
    Posts:
    6
    Location:
    Salsomaggiore Terme, PR - Italy
    After applying a new nod32.002 file from Mark (thanks again), I already have the same problem. I attach a virus not recognized as a text file, if someone wants to make a try and verify if his NOD32 works fine.
    Be careful with the attachment!!!





    Attachment removed - Pieter
     